Date: 8 May 2024

Author: PREO AG

On-Premise vs. Cloud


How consistent implementation significantly increases the level of safety

Ransomware, malware, DDoS attacks and much more: today's biggest cyber risks are increasingly becoming an existential economic threat for companies because of the damage they can cause. This was confirmed again last year by the latest threat report from the EU Agency for Cybersecurity, ENISA.


The expansion of cloud services and infrastructures driven by current digital developments and the often overly careless use of cloud-based software products are opening up additional gateways for cyber criminals into company networks and creating increasingly complex IT and data security requirements. Our experience shows that, despite all the complexity, simple and proven security measures are sometimes overlooked. Yet consistent compliance with these measures in day-to-day work significantly increases cyber resilience.


In this blog post, we have summarised eight widely known measures that are very easy to implement within a company. We also show by example why companies and public administrations with high demands on data security, sovereignty and availability, as well as strict compliance guidelines, rely in particular on used software licences from PREO in on-prem operation.


Increase IT and data security - eight proven measures for companies

1. Regular updates and patches 

Regular updates are usually taken as a matter of course, yet in everyday practice there are always gaps. This is mainly because it can easily take one or more days between being informed that a system or software update is available and its technical installation. Centralised administration, an automated early warning system and clearly defined processes help to install available updates and patches, and so close security gaps, as quickly as possible.


2. Basic technologies to protect end devices and networks

Securing company networks with basic technologies remains fundamental, in particular comprehensive endpoint protection with up-to-date anti-virus software, a perimeter firewall for publicly available server endpoints or a web application firewall for external applications and for login or administrator portals, next-generation malware protection, including against phishing, and a secure VPN connection for all remote work processes.


3. Demand password discipline

Every organisation should have clear guidelines for strong passwords, which must contain a prescribed combination of letters, numbers and special characters. It can also be useful to implement the use of a password manager or multi-factor authentication (MFA) as additional security levels. The latter is recommended, among other things, for the use of external cloud-based software applications to prevent user accounts from being compromised.


4. Regular security training for employees 

Knowledge and its practical application in everyday situations is the key to avoiding phishing attacks and other fraud attempts. Regular training for managers and employees increases awareness of cyber security in the company many times over. This can also include incognito test attacks for particularly security-relevant areas in order to incorporate the results into the training and prepare employees for specific threat scenarios.


5. Restrictive assignment of access authorisations and role privileges 

Not every employee in the company needs all access rights. The sparing allocation of rights and privileges for individual employees, groups or organisational units, as well as for administrator roles, is an effective way to prevent improper or careless handling of applications and resources.


6. Data security through frequent backup cycles 

Regular, closely timed backups of all relevant company data, stored preferably at an external location and separate from the existing network, ensure that data can be quickly restored and made available in the event of an attack. To this end, a recovery plan with clearly defined processes and responsibilities should be drawn up in order to be prepared for an emergency.


7. Development of an incident response plan 

The development and implementation of an incident response plan is another important measure. This contains clear instructions on how to proceed in the event of a security incident. The plan should define roles and responsibilities, set out steps to contain the incident and include internal and external communication guidelines to ensure that all parties involved work together effectively to limit the impact and restore the original state.


8. Risk assessment and management 

Regular assessments of potential threats and possible security gaps within the IT infrastructure are becoming increasingly important. Based on the assessment results, it is advisable to develop a risk management strategy. This sets priorities for risk minimisation by addressing the most likely and most damaging attack scenarios and, if necessary, running them through in real test scenarios. In a further step, the review of third-party providers and their security practices can also be included to ensure that external partners fulfil the company's security standards or at least do not unintentionally counteract them.


Data security in the company - minimising cloud risks

The more companies move their work processes to the cloud, the more cyber criminals will try to attack potential vulnerabilities in cloud computing. It is no coincidence that the major global players are currently investing billions in their cloud infrastructures to ensure the greatest possible data security and availability of their cloud services for companies. However, in addition to external risks such as excessive provider dependency, which can be problematic not only in terms of security but also financially, cloud computing is also about identifying and minimising internal security risks such as cloud sprawl or shadow clouds.


Against this backdrop, many IT managers still shy away from moving completely to the cloud and mostly rely on hybrid cloud models that continue to use on-prem software in some areas or even predominantly. There is also an increase in the number of cases where companies are moving away from the cloud after a few years for reasons of data security, sovereignty and availability as well as financial considerations. Instead, they are relying on proven and efficient on-premise software and taking advantage of the benefits of used software licences, as the following example from a German medium-sized company impressively confirms:


More security, lower costs - Swedex relies on used software from PREO

The Essen-based medium-sized company Swedex, one of Europe's leading providers in the field of document presentation with around 300 employees, found that a total cloud solution not only poses a security challenge, but can also result in a cost spiral that is sometimes difficult to calculate.


The consequence: the medium-sized company could no longer tolerate the dynamic increase in costs and its dependence on a large cloud provider and instead opted for an independent and significantly cheaper alternative.


The result: after three years in the Microsoft cloud, those responsible returned to on-prem operation. The integration of used software licences from PREO then led to enormous savings of around 100,000 euros in ongoing licence costs. More information on this and other customer cases can be found here.



With PREO, you are relying on an experienced and reputable B2B provider

PREO is one of the pioneers in the European trade in used software licences, particularly from Microsoft. Well over 1,000 companies have already benefited from the advantages of integrating used volume licences into their IT asset management in an audit-proof and compliant manner: